Remarks 

Claims 1, 12, and 21 are amended. Claims 1, 4-12, 16-21, and 24-28 are 
pending. In view of the following remarks, Applicant respectfully requests 
reconsideration of the rejections. 

5 

Examiner Interview 

Counsel would like to thank Examiner Williams for a telephonic interview 
on October 14, 2010. During the interview, proposed amendments to independent 
claims 1, 12, and 21 were discussed with respect to the § 101 rejections. In light 
10 of the interview, counsel provided proposed amendments. Examiner Williams 
indicated that such amendments would remove the § 101 rejections. Accordingly, 
the proposed amendments to independent claims 1,12, and 21 are included above. 
Applicant sincerely appreciates the Examiner's willingness to work with 
Applicant in advancing prosecution. 

15 

§101 Rejections 

Claims 1 and 4-1 1 stand rejected under 35 U.S.C. § 101 as allegedly being 
directed to non-statutory subject matter for "failing to be tied to a particular 
machine. . .the recitation of 'a computing device' [is] not necessarily stated or 
20 claimed to be embodied in hardware structure" (Office Action, pg. 3). Applicant 
respectfully disagrees. However, in the interest of advancing meaningful 
prosecution, claim 1 has been amended as indicated above to further clarify its 
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statutory nature. Applicant respectfully requests withdrawal of the Office's § 101 
rejection of claim 1 . Claims 4-1 1 are statutory as depending from a statutory base 
claim. 

Claims 12, 16-21, and 24-28 stand rejected under 35 U.S.C. § 101 as 
5 allegedly being directed to non-statutory subject matter for not appearing "to 
preclude the use of signals" (Office Action, pg. 3). Applicant respectfully 
disagrees and submits that computer storage media is indeed statutory. However, 
to further clarify the statutory nature of computer storage media, claims 12 and 21 
have been amended as indicated above to further clarify their statutory nature. 
10 Claims 16-20 and 24-28 are statutory as depending from a statutory base claim. 
Applicant respectfully requests withdrawal of the Office's § 101 rejections of 
claims 12, 16-21, and 24-28. 

§ 102 Rejections 

15 Claims 1, 4-12, 16-21, and 24-28 stand rejected under 35 U.S.C. § 102(b) 

as allegedly being anticipated by "Abstracting Application-Level Web Security" 
by Scott et al. (hereinafter "Scott"). 

For the reasons set forth below, Applicant respectfully traverses the 
Office's rejections. 
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The Claims 



Claim 1 has been amended and, as amended, recites a computer- 
implemented method, comprising [emphasis added]: 

• receiving, with a computing device that includes software and hardware 
5 on which the software operates, data input through a web page from a 

client device; 

• referencing a declarative module, embodied on computer storage 
media associated with the computing device, to determine a client input 
security screen to apply to the data input from the client device, wherein 

10 the declarative module comprises: 

• a global section that includes at least one client input security screen 
that applies to any type of client input value; and 

• an individual values section that includes at least one client input 
security screen that applies to a particular type of client input value; and 

15 • applying, using the computing device, multiple client input security 

screens to the data input from the client device, including at least one 
client input security screen from the global section of the declarative 
module and at least one client input security screen from the individual 
values section of the declarative module, wherein the client input 

20 security screens are distinct from one another, and wherein said act of 

referencing comprises first using the global section to screen one or 
more client input values and then using the individual values section 
to screen at least one of said one or more client input values. 

25 In making out the rejection of claim 1, the Office argues that its subject 

matter is allegedly anticipated by Scott. Applicant respectfully disagrees. For the 
reasons set forth below, Applicant respectfully traverses the Office's rejection. 

Scott on pg. 3, col. 2, para. 2, merely describes a policy compiler 
responsible for generating Security Policy Description Language (SPDL) code 

30 which is loaded into a security gateway which acts as a firewall. Missing is any 
discussion of "referencing a declarative module..." as claimed. As such, 
Applicant submits that the Office's reliance on this excerpt is misplaced. 
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Additionally, Fig. 2 and pg. 6 (col. 1 - paras. 1-2) of Scott simply fail to 
disclose "a global section. . ." as claimed. Specifically, with respect to Fig. 2, this 
figure shows a Document Type Definition (DTD) specifying two individual types 
of client values nested under the policy element, namely a Universal Resource 
5 Locator (URL) type ("Element URL" which in turn has a URL-parameter type: 
"Element parameter" nested under it) and a cookie type ("Element cookie" nested 
under "Element URL"). In this regard, the URL -parameter type and the cookie 
type each are shown as potentially having a validation type ("Element validation") 
and transformation type ("Element transformation") nested below them. Since 

10 Fig. 2, at best, shows two individual types of client values, neither the nested 

transformation type (for individual client value types URL-parameter and cookie) 
nor any other feature shown in Fig. 2 can be said to disclose "a global section . . . 
that applies to any type of client input' as this is understood in the context of the 
claim language (e.g., "a global section ... and an individual values section...") or 

1 5 in the context of the subject application. 

In this regard, and by way of example and not limitation, the Office is 

directed to pg. 9 (lines 16-20) of the subject application which describes "all types 

of input values" screened by "a global screening portion". This excerpt is 

reproduced below for the Office's convenience (emphasis added): 

20 As previously stated, the global screening portion 234 screen all 

types of input values: URL parameters, header values, form values 
and cookies. Therefore, any screened values will be screened from 
all these types of values in the global screening portion 234. 
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Furthermore, with respect to pg.6 (col. 1 - paras. 1-2), this excerpt merely 
describes the two individual types of client values identified in the DTD shown in 
Fig. 2 (i.e., the URL-parameter and cookie client value types). Accordingly, for 
the reasons given above, this excerpt cannot be said to disclose "a global section 
5 ... that applies to any type of client input' either. 

Finally, even if Scott did disclose "a global section. . ." as claimed, which it 
does not, Section 3.4 fails to disclose ". . .first using the global section " as claimed 
- and instead actually teaches away from this subject matter. Paras. 1-3 of Section 
3.4 describe Fig. 4, which depicts an algorithm that first checks parameters and 
10 cookies (which the Office equates with an individual values section (see Office 
Action, pg. 5)), then applies transformations (which the Office equates with a 
global section (Office Action, pg. 4)). Accordingly, by teaching an algorithm that 
first checks parameters and cookies and then applies transformations, Fig. 4 and 
paras. 1-3 teach directly away from ". . .first using the global section ". As such, 
15 the Office's reliance on Section 3.4 is misplaced. 

Accordingly, in view of the above discussion, Scott fails to disclose the 
subject matter of claim 1. Hence, for at least this reason, claim 1 is allowable. 

Claims 4-11 depend from claim 1 and are allowable as depending from an 
allowable base claim. These claims are also allowable for their own recited 
20 features which are neither shown nor suggested by the reference of record. 

Claim 12 has been amended and, as amended, recites a system, comprising 
[emphasis added]: 
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• a web page server unit, embodied on one or more computer storage 
media and configured to provide one or more web pages to one or more 
client devices over a distributed network; 

• means for receiving client input data; 

5 • a declarative module, embodied on computer storage media and 

configured to include multiple client input security screens that declare 
screening rules for client input, wherein the declarative module 
comprises: 

• a global section that includes one or more client input security screens 
1 0 that are applied to all types of client input; and 

• an individual values section that includes one or more client input 
security screens that are applied to specified types of client input; and 

• a client input security screening unit configured to apply the screening 
rules for client input to the client input data and to perform one or more 

15 actions on invalid client input data, wherein the screening rules are from 

distinct client input security screens from the global section and the 
individual values section, wherein the client input security screening 
unit is configured to first use the global section to screen one or more 
client input values and then use the individual values section to screen 

20 at least one of said one or more client input values, and wherein the one 

or more computer storage media does not comprise a signal. 

In making out the rejection of claim 12, the Office argues that its subject 

matter is allegedly anticipated by Scott. Applicant respectfully disagrees. For the 

25 reasons set forth below, Applicant respectfully traverses the Office's rejection. 

As noted above, pg. 3 (col. 2 - para. 2) of Scott merely describes a policy 
compiler responsible for generating SPDL code which is loaded into a security 
gateway which acts as a firewall. Missing is any discussion of "a declarative 
module" as claimed. Additionally, Fig. 2 andpg. 6 (col. 1 - paras. 1-2) of Scott 

30 simply fail to disclose "a global section. . ." as claimed. Specifically, with respect 
to Fig. 2, this figure shows a DTD specifying two individual types of client values 
nested under the policy element. Neither the nested transformation type (for 
individual client value types URL-parameter and cookie) nor any other feature 
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shown can be said to disclose "a global section that includes one or more client 
input security screens that are applied to all types of client input". Furthermore, 
with respect to pg. 6 (col. 1 - paras. 1-2), this excerpt merely describes the two 
individual types of client values identified in the DTD shown in Fig. 2 and 
5 therefore cannot be said to disclose this subject matter either. 

Finally, even if Scott did disclose "a global section. . ." as claimed, which it 
does not, Section 3.4 and Fig. 4 describe/depict an algorithm that first checks 
parameters and cookies and then applies transformations. As noted above, this not 
only fails to teach "... to first use the global section " as claimed, but in point of 
10 fact actually teaches directly away from it. As such, the Office's reliance on 
Section 3.4 is misplaced. 

Accordingly, in view of the above discussion, Scott fails to disclose the 
subject matter of claim 12. Hence, for at least this reason, claim 12 is allowable. 

Claims 16-20 depend from claim 12 and are allowable as depending from 
1 5 an allowable base claim. These claims are also allowable for their own recited 
features which are neither shown nor suggested by the reference of record. 

Claim 21 has been amended and, as amended, recites one or more 
computer-readable storage media containing computer-executable instructions 
that, when executed on a computer, implement a method comprising [emphasis 
20 added]: 

• serving a web page to a client over a distributed network; 

• receiving client input via the web page; 
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• comparing the client input with multiple and distinct client input 
security screens stored in a security declarative module, wherein the 
security declarative module includes a global section configured to 
screen all types of client input values and an individual values section 

5 configured to screen particular types of client input values, wherein the 

global section is used to first screen one or more client input values 
and then the individual values section is used to screen at least one of 
the one or more client input values; 

• if invalid client input is detected, performing a screening action on the 
1 0 invalid client input as indicated by the security declarative module, 

wherein the client input security screens included in the security 
declarative module can be applied to multiple web pages, and 
wherein the one or more computer-readable storage media does not 
comprise a signal. 

15 

In making out the rejection of claim 21, the Office argues that its subject 
matter is allegedly anticipated by Scott. Applicant respectfully disagrees. For the 
reasons set forth below, Applicant respectfully traverses the Office's rejection. 
As noted above, pg. 3 (col. 2 - para. 2) of Scott merely describes a policy 

20 compiler responsible for generating SPDL code which is loaded into a security 
gateway which acts as a firewall. Missing is any discussion of "a security 
declarative module" as claimed. Unfortunately, the Office has not provided an 
explanation as to which specific features from this excerpt it is relying on and 
equating with this subject matter. Nevertheless, Applicant has thoroughly 

25 searched the entire Scott reference (including Fig. 5 and pgs. 3, 4 and 6) and is 
unable to find any discussion of this subject matter. As such, Fig. 5 and pgs. 3, 4 
and 6 cannot possibly disclose "if invalid client input is detected, performing a 
screening ... as indicated by the security declarative module" as claimed. 
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Furthermore, Fig. 2 and pg. 6 (col. 1 - paras. 1-2) of Scott simply fail to 
disclose "a global section. . ." as claimed. Specifically, with respect to Fig. 2, this 
figure shows a DTD specifying two individual types of client values nested under 
the policy element. Neither the nested transformation type (for individual client 
5 value types URL-parameter and cookie) nor any other feature shown in Fig. 2 can 
be said to disclose "a global section configured to screen all types of client input 
values. Furthermore, with respect to pg. 6 (col. 1 - paras. 1-2), this excerpt 
merely describes the two individual types of client values identified in the DTD 
shown in Fig. 2 and therefore cannot be said to disclose this subject matter either. 

10 Finally, even if Scott did disclose "a global section. . ." as claimed, which it 

does not, Section 3.4 and Fig. 4 describe/depict an algorithm that first checks 
parameters and cookies and then applies transformations. As noted above, this not 
only fails to teach "... to first use the slobal section " as claimed, but in point of 
fact actually teaches directly away from it. As such, the Office's reliance on 

15 Section 3.4 is misplaced. 

Accordingly, in view of the above discussion, Scott fails to disclose the 
subject matter of claim 21. Hence, for at least this reason, claim 21 is allowable. 

Claims 24-28 depend from claim 2 1 and are allowable as depending from 
an allowable base claim. These claims are also allowable for their own recited 

20 features which are neither shown nor suggested by the reference of record. 
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Response to Response to Arguments: 

Applicant disagrees with the Office's statements in the "Response to 
Arguments" section and wishes for the record to reflect that the amendments 
above in no way constitute an admission of the propriety of the rejections or an 
5 acquiescence to the statements that appear in the "Response to Arguments" 
section. 



Conclusion 

All of the claims are in a condition for allowance. Accordingly, Applicant 



10 respectfully requests that the Office issue a Notice of Allowability. If the Office's 
next anticipated action is to be anything other than issuance of a Notice of 
Allowability, Applicant respectfully requests a telephone call for the purpose of 
scheduling an interview. 



15 



Respectfully submitted, 



Dated: 11/18/2010 



By: /Lance R. Sadler/ 



20 



Lance R. Sadler 
Reg. No. 38605 
(509) 755-7251 
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